If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you: TSGrinder, TScrack, and a patched version of RDesktop. This article and its companion video, Terminal Server / RDP Password Cracking, take you step-by-step through the concepts, tools and usage.

Part 1: MS Terminal Services Overview

Hacking Exposed Windows Server 2003 gives a great overview. I won’t plagiarize it all here, so check it out for more details, and see the references section of this paper for some MS references.

Prior to Terminal Services, Windows did not provide the ability to run code remotely in the processor space of the server; put another way, there was no way to have an “interactive” session on the server. There were tools like wsremote, psexec or VNC. If an attacker got a non-administrator account on a remote machine they could map shares and copy files, but had a difficult time running code on the server. Now, with Terminal Services, an attacker can log on as a non-privileged user and run local exploit code via the Terminal Services GUI. These attacks used to be fairly limited to local physical attacks or to users who were actually logged into your domain, but now, if the server has Terminal Services (Windows 2000 Server, Windows Server 2003) or RDP (Windows XP) running, the attack surface increases.

Terminal Services listens on TCP port 3389 by default (the port can be changed by editing the registry).

Password Cracking Basics

There are three types of password attacks:

Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one by one. [1] For example, the program might follow a sequence like this:

"aaaaaaaa"
"aaaaaaab"
"aaaaaaac"
…

and so on, until the password is found.

Dictionary Attack: An attack that tries all of the phrases or words in a dictionary in an attempt to crack a password or key. A dictionary attack uses a predefined list of words, in contrast to a brute force attack, which tries all possible combinations. [2]

Hybrid Attack: A hybrid attack is a mixture of a brute force attack and a dictionary attack. There are many different ways a hybrid attack can be performed. In its simplest form, a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried; this increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try and guess your password. [3]
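To make the three attack classes concrete from the defender's side, here is an added audit helper (not code from the article or from any of the tools it covers) that reports which class would recover a given password and how many guesses that class needs in the worst case. The wordlist, the two-digit hybrid suffix, the "l337" substitution table and the guess rate are all constructed assumptions; a real audit would load a full dictionary and use the rate you measure for your own environment.

```python
"""Classify a password by the cheapest attack from the "Password Cracking
Basics" section that would find it, and size that attack's search space.

Hypothetical audit helper, not from the article or from TSGrinder/TScrack.
"""
import string

# Constructed miniature wordlist; a real audit loads a full dictionary file.
WORDLIST = ["password", "admin", "letmein", "welcome", "summer", "chrisg"]

# A simple hybrid attack appends "a couple of numbers" to each word; this is
# the maximum number of digits assumed here.
HYBRID_SUFFIX_LEN = 2

# Hypothetical "l337" substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def brute_force_space(password):
    """Worst-case candidates for a pure brute force run: the character set is
    inferred from the classes the password uses, and all lengths from 1 up to
    len(password) are assumed to be tried."""
    classes = [
        (string.ascii_lowercase, any(c.islower() for c in password)),
        (string.ascii_uppercase, any(c.isupper() for c in password)),
        (string.digits, any(c.isdigit() for c in password)),
        (string.punctuation, any(c in string.punctuation for c in password)),
    ]
    charset = sum(len(chars) for chars, used in classes if used)
    return sum(charset ** n for n in range(1, len(password) + 1))


def hybrid_space(wordlist):
    """Every word tried with every 1..HYBRID_SUFFIX_LEN digit suffix."""
    return len(wordlist) * sum(10 ** k for k in range(1, HYBRID_SUFFIX_LEN + 1))


def classify(password, wordlist=WORDLIST):
    """Return (cheapest attack class that finds the password,
    worst-case number of guesses that class needs)."""
    lowered = password.lower()
    if lowered in wordlist:
        return "dictionary", len(wordlist)
    # Hybrid: a dictionary word followed by one or two digits.
    for k in range(1, HYBRID_SUFFIX_LEN + 1):
        stem, suffix = lowered[:-k], lowered[-k:]
        if suffix.isdigit() and stem in wordlist:
            return "hybrid", hybrid_space(wordlist)
    # Dictionary word disguised with l337 substitutions.
    if lowered.translate(LEET) in wordlist:
        return "dictionary (l337)", len(wordlist)
    return "brute force", brute_force_space(password)


def seconds_to_exhaust(guesses, guesses_per_second):
    """How long the worst case takes at a given (constructed) guess rate."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    # 5 guesses/s is a constructed figure for an interactive logon attack.
    for pw in ["password", "summer07", "p@ssw0rd", "Tr0ub4dor&3"]:
        kind, guesses = classify(pw)
        print(f"{pw:12} {kind:18} {guesses:>25,} guesses "
              f"({seconds_to_exhaust(guesses, 5):,.0f} s at 5 guesses/s)")
```

The ordering of the checks is the point: a password is only as strong as the cheapest class that reaches it, so "summer07" costs a few hundred guesses even though a brute force run over the same length would cost billions. That is why lockout policy and password composition both matter for an interactive logon service where each guess is slow.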

Part 2: TSGrinder

From the TSGrinder website:
“TSGrinder is the first production Terminal Server bruteforce tool. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. Also having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.

TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.

Also, the problem you describe can be exacerbated in that the administrator account can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure.”

Let’s see TSGrinder in action. I had to use the Windows XP RDP client on Windows 2000 SP4 to get TSGrinder to work properly. I did not need the roboclient.zip mentioned on the website.

Figure 2.1: TSGrinder being run with no arguments.

Figure 2.2: TSGrinder using a dictionary attack against the administrator account.

Figure 2.3: A failed attempt.

Figure 2.4: If TSGrinder guesses the password it will log into Terminal Services and immediately disconnect.

Figure 2.5: A successful attempt with TSGrinder.

Figure 2.6: TSGrinder supports 2 threads. Here you can see two threads running the attack.

Figure 2.7: A successful attempt with TSGrinder that used 2 threads to run the attack.

Part 3: TScrack

From the TScrack documentation:
“The Windows Terminal Services facility offers graphical desktop sessions to remote clients. Terminal Services enables users to work in a Windows session that exists on the server. The client functionality is basically reduced to the functionality of a terminal: all it does is display the session screen and collect user input.

TScrack applies AI technology (Artificial Neural Networks) to scrape the screen contents of the graphical logon, in order to enable a simple dictionary based cracking algorithm to perform efficiently against the graphically presented logon dialogs and message boxes.

This is very similar to the technology used i.e. in Optical Character Recognition (OCR), Face- and Image recognition in general.

TScrack was written for two purposes:

a) To provide a tool to assess password security of MS RDP servers
b) As proof of concept code, to point out that graphical logons are by no means secure from automated cracking / password guessing tools

Figure 3.1: TScrack being run with no arguments.

Figure 3.2: TScrack being run against a Windows Server 2003 Terminal Server

Figure 3.3: TScrack successfully cracking the password

Figure 3.4: TScrack also does multithreaded cracking; use the -t option for 2 connections.

Figure 3.5: TScrack with two simultaneous connections running

Figure 3.6: TScrack successfully cracking the password

TScrack was updated to v2.1 to include brute force attacks (something TSGrinder does not do).

Figure 3.11: What I changed the password policy to, to allow “chrisg” as a password

Note 3: I had to run TScrack 2.1 on a Windows 2000 machine; it wasn’t working properly on Windows XP SP2. Also, if you are getting an MSRDP.OCX error, uninstall TScrack using the -U option and then reinstall it by issuing TScrack.exe -h.
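Both tools above drive the same observable behaviour on the server: a stream of failed Terminal Services logons from one source, and (per the TSGrinder text in Part 2) possibly split into short connections of five attempts each. The added detection example below, which is not code from the article or from either tool, shows why a rule that counts failures per connection misses that pattern while a per-source count over a time window catches it. The log lines are constructed and use a simplified key=value layout modelled on the fields of a Windows failed-logon audit event (event ID 529 on Windows 2000/2003, 4625 on later versions; logon type 10 is RemoteInteractive, i.e. Terminal Services / RDP). It assumes logon failure auditing is enabled so that each failed attempt is recorded; the Session field is a constructed stand-in for whatever connection identifier your log source provides.

```python
"""Detect RDP password guessing by counting failed remote-interactive logons
per source address over a time window, across connections.

Added detection example; not from the article, TSGrinder or TScrack.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs for a failed logon: 529 (Windows 2000/2003), 4625 (Vista and later).
FAILED_LOGON_IDS = {"529", "4625"}
# Logon type 10 = RemoteInteractive, i.e. a Terminal Services / RDP logon.
RDP_LOGON_TYPE = "10"

# Constructed sample log. 10.0.0.5 makes five failures per connection and
# reconnects (new Session value), the behaviour the TSGrinder text describes;
# 10.0.0.9 is a user mistyping once; 10.0.0.7 is a network (type 3) failure,
# not an RDP attempt; the 528 line is a successful logon.
SAMPLE_LOG = """\
2006-03-14T10:00:01 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=1
2006-03-14T10:00:02 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=1
2006-03-14T10:00:03 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=1
2006-03-14T10:00:04 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=1
2006-03-14T10:00:05 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=1
2006-03-14T10:00:10 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=2
2006-03-14T10:00:11 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=2
2006-03-14T10:00:12 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=2
2006-03-14T10:00:13 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=2
2006-03-14T10:00:14 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=2
2006-03-14T10:00:20 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=3
2006-03-14T10:00:21 EventID=529 LogonType=10 User=Administrator Source=10.0.0.5 Session=3
2006-03-14T10:00:30 EventID=529 LogonType=10 User=bob Source=10.0.0.9 Session=7
2006-03-14T10:00:31 EventID=528 LogonType=10 User=bob Source=10.0.0.9 Session=7
2006-03-14T10:00:40 EventID=529 LogonType=3 User=svc Source=10.0.0.7 Session=8
"""


def parse(log_text):
    """Yield one dict per line: timestamp plus the key=value fields."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(stamp)
        yield ev


def rdp_failures(log_text):
    """Only failed logons that came in over Terminal Services / RDP."""
    for ev in parse(log_text):
        if ev["EventID"] in FAILED_LOGON_IDS and ev["LogonType"] == RDP_LOGON_TYPE:
            yield ev


def per_session_max(log_text):
    """Highest failure count inside any single connection, per source. A rule
    that only looks at this never fires on an attacker who stays at five
    attempts per connection."""
    counts = defaultdict(int)
    for ev in rdp_failures(log_text):
        counts[(ev["Source"], ev["Session"])] += 1
    worst = defaultdict(int)
    for (src, _), n in counts.items():
        worst[src] = max(worst[src], n)
    return dict(worst)


def detect(log_text, threshold=6, window=timedelta(seconds=60)):
    """Alert on any source whose RDP logon failures reach `threshold` within
    `window`, counted across connections rather than per connection."""
    recent = defaultdict(deque)   # source -> failure timestamps in the window
    sessions = defaultdict(set)
    users = defaultdict(set)
    alerts = {}
    for ev in rdp_failures(log_text):
        src = ev["Source"]
        q = recent[src]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        sessions[src].add(ev["Session"])
        users[src].add(ev["User"])
        if len(q) >= threshold:
            alerts[src] = {
                "failures": len(q),
                "connections": len(sessions[src]),
                "users": sorted(users[src]),
                # the account the TSGrinder text singles out as not lockable
                "admin_targeted": any(u.lower() == "administrator" for u in users[src]),
            }
    return alerts


if __name__ == "__main__":
    print("per-connection maximum:", per_session_max(SAMPLE_LOG))
    for src, info in detect(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info}")
```

On the sample, the per-connection maximum for 10.0.0.5 is exactly 5, so a per-connection rule keyed to the sixth failure stays silent; the windowed per-source count reaches 12 across three connections and fires. The `admin_targeted` flag is worth keeping as a separate field because, as the TSGrinder text notes, lockout policy does not protect that account, so detection is the only control that applies to it.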

Footnotes

Chris Gates, CISSP, C|EH, CPTS is the operations manager for www.LearnSecurityOnline.com and consultant for Aura Software Security. He also serves as a student mentor and course developer for LSO. Chris has over six years of experience with telecommunications and network security serving in various jobs in the U.S. Military. His computer security interests are in Windows and Web Application security. In addition to the above certifications, Chris also holds his CompTIA A+, Network+, Security+ Certifications and is a Microsoft Certified Professional (MCP) for Server 2003.
